Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

88d7e83b74...bc.exe

windows7-x64

7

88d7e83b74...bc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230705-en
  • resource tags

    arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2023, 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc.exe

  • Size

    150KB

  • MD5

    6cd925574655ceeb750b8c947deafdda

  • SHA1

    db06d6768b00efbd84dbcadcb47c08607e7f1312

  • SHA256

    88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc

  • SHA512

    a91d7d354ec7d910fc90fcfd9d6f53317e2cbd03211f53f4c6a4d9364c5405b70ca45ac2516298209416d7b795b546450207d0e36fbd3478aae0bb845c576a49

  • SSDEEP

    3072:EAe+3aJpgWXTBuWbcqG5GAbKqiNMeAmVngg24ihVmY8uYj7AdV+44MI:XB+pgUzcq6AqKPs4ihWrMz4x

Score
7/10

Malware Config

Signatures

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc.exe
    "C:\Users\Admin\AppData\Local\Temp\88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc.exe
      "C:\Users\Admin\AppData\Local\Temp\88d7e83b74f2a3c04658ae1e33977affa625a748b776b36a742ab73281d414bc.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nszAE2D.tmp\System.dll
    Filesize

    11KB

    MD5

    a4dd044bcd94e9b3370ccf095b31f896

    SHA1

    17c78201323ab2095bc53184aa8267c9187d5173

    SHA256

    2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    SHA512

    87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    Download Submit

  • memory/796-61-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/796-62-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/796-63-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download